The process risk model

Organizations must assess the risks to affected persons (data subjects) for each processing activity involving personal data. A Process Risk Model (also called a ROPA Risk Model, after the Record of Processing Activities it is applied to) standardizes this evaluation. The most common model is a 5x5 additive model with five levels of likelihood of occurrence and five levels of damage.

The additive model assigns numerical values to the likelihood and damage levels. These values are added to produce a risk score, which is then mapped to a risk category. This straightforward approach is well suited to evaluating ROPA or process risks.

Setting Up the Risk Model

Navigate to the risk settings by clicking the gearwheel in the upper right corner and selecting Risk settings. You need data protection or IT security manager privileges to access the risk settings. 

Click the Edit button to set up or adjust the Process Risk Model.

Likelihood of occurrence

You will define the likelihood levels and their contributing factors.

Defining Levels

  • There are five levels: Very Low, Low, Medium, High, and Very High.
  • Assign a meaning to each level using the dropdown menu, for example:
    • Very Low: Every 5 years
    • Low: Every year
    • Medium: Every month
    • High: Every week
    • Very High: Every hour

Likelihood Types

  • Define factors that influence likelihood, such as:
    • Processing frequency: The more often data is processed, the higher the likelihood.
    • Abuse interest: The more attractive the data is to an attacker, the higher the likelihood.
    • Effort for abuse: The more effort an attack requires, the lower the likelihood.
  • Assign numeric values to each likelihood type for every level:
    • Example Processing Frequency: Very Low = 1, Low = 2, Medium = 3, High = 4, Very High = 5
    • Because the model is additive, a type that lowers likelihood, such as Effort for abuse, needs values that decrease from Very Low to Very High (for example 5, 4, 3, 2, 1); otherwise a process that is hard to abuse would score as riskier than one that is easy to abuse.
    • Customize values to make certain types more significant.
  • Add more types by clicking the plus symbol.

Don't hesitate to contact our onboarding specialists if you need help to define the most suitable likelihood types for your organization.

Damage scale

Once you've completed the likelihood section, proceed to the damage scale.

Start by describing the levels of damage. Standard definitions are provided, ranging from Negligible to Critical. You can use these default definitions or create your own.

Damage types for affected persons can include, for example, health, social, or financial damage.

  • Enter each relevant damage type into the Add new label field. 
  • Assign a numeric value to each level of the damage scale.
    • The default model uses a linear scale, where, for example, health-related damage is weighted from Negligible (1) to Critical (5).
    • Alternatively, you can use an exponential scale, doubling the values: 1, 2, 4, 8, 16. With this scale a single Critical rating outweighs several lower ratings combined, which is usually the intended effect.
  • Click the plus symbol on the right side to add more damage types.

Point Scale

Once the likelihood and damage scales are defined, a point scale appears. It spans the total scores that the entries above can produce and divides that range into risk categories. You can adjust the category thresholds by clicking and dragging them to the desired position; moving a threshold changes which category a given score falls into, not the score itself.

Target Risk

Lastly, you select the general Target Risk for your record of processing activities. By default, this is Medium. After clicking Save, you can start evaluating the risks of your processing activities. The article about the Register of Processing Activity explains that in detail.
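To make the arithmetic of the model concrete, here is an added worked example (written for this article, not the product's own code) of the 5x5 additive model end to end: a likelihood section with the three example types, a damage scale mixing the linear and exponential weightings, a point scale with thresholds, and the Target Risk check. Everything beyond what the article states is an assumption and is marked as such in the code: the three intermediate damage labels, the downward-running values for Effort for abuse, equal-width default thresholds over the achievable score range, the `assess` helper, and the two constructed sample activities.

```python
from dataclasses import dataclass
from typing import Optional

# Levels in increasing order. The article names the likelihood levels and only
# the two ends of the damage scale ("Negligible" to "Critical"); the three
# intermediate damage labels are assumed.
LIKELIHOOD_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
DAMAGE_LEVELS = ["Negligible", "Minor", "Moderate", "Major", "Critical"]
RISK_CATEGORIES = ["Very Low", "Low", "Medium", "High", "Very High"]

LINEAR = [1, 2, 3, 4, 5]        # the article's default weighting
EXPONENTIAL = [1, 2, 4, 8, 16]  # the article's doubling alternative


@dataclass
class RiskModel:
    # type name -> five values, one per level, index 0 being the lowest level
    likelihood_types: dict[str, list[int]]
    damage_types: dict[str, list[int]]
    target: str = "Medium"  # the article's default Target Risk
    # Inclusive upper bounds of the first four categories on the point scale.
    # None = equal-width bins over the achievable score range, an assumed
    # stand-in for the draggable thresholds in the UI.
    thresholds: Optional[list[int]] = None

    def __post_init__(self) -> None:
        for values in self._all_types():
            if len(values) != 5:
                raise ValueError("each type needs exactly five level values")
        if self.thresholds is None:
            lo, hi = self.score_range()
            width = (hi - lo) / 5
            self.thresholds = [round(lo + width * i) for i in range(1, 5)]
        if len(self.thresholds) != 4 or self.thresholds != sorted(self.thresholds):
            raise ValueError("need four ascending thresholds")
        if self.target not in RISK_CATEGORIES:
            raise ValueError(f"unknown target risk {self.target!r}")

    def _all_types(self) -> list[list[int]]:
        return list(self.likelihood_types.values()) + list(self.damage_types.values())

    def score_range(self) -> tuple[int, int]:
        """Lowest and highest total score this model can produce."""
        return (sum(min(v) for v in self._all_types()),
                sum(max(v) for v in self._all_types()))

    @staticmethod
    def _points(types: dict[str, list[int]], ratings: dict[str, str],
                levels: list[str]) -> int:
        total = 0
        for name, values in types.items():
            if name not in ratings:
                raise KeyError(f"no rating given for {name!r}")
            total += values[levels.index(ratings[name])]  # ValueError on unknown level
        return total

    def likelihood_points(self, ratings: dict[str, str]) -> int:
        return self._points(self.likelihood_types, ratings, LIKELIHOOD_LEVELS)

    def damage_points(self, ratings: dict[str, str]) -> int:
        return self._points(self.damage_types, ratings, DAMAGE_LEVELS)

    def score(self, likelihood_ratings: dict[str, str], damage_ratings: dict[str, str]) -> int:
        # Additive model: likelihood points plus damage points.
        return self.likelihood_points(likelihood_ratings) + self.damage_points(damage_ratings)

    def category(self, score: int) -> str:
        for bound, cat in zip(self.thresholds, RISK_CATEGORIES):
            if score <= bound:
                return cat
        return RISK_CATEGORIES[-1]

    def meets_target(self, category: str) -> bool:
        return RISK_CATEGORIES.index(category) <= RISK_CATEGORIES.index(self.target)


def assess(model: RiskModel, likelihood_ratings: dict[str, str],
           damage_ratings: dict[str, str]) -> dict:
    """Assumed helper: score one processing activity and compare it with the target."""
    s = model.score(likelihood_ratings, damage_ratings)
    cat = model.category(s)
    return {"score": s, "category": cat, "meets_target": model.meets_target(cat)}


# Model mirroring the article's examples. "Effort for abuse" lowers likelihood,
# so its values run downward (assumed convention, not stated in the article).
MODEL = RiskModel(
    likelihood_types={
        "Processing frequency": LINEAR,
        "Abuse interest": LINEAR,
        "Effort for abuse": [5, 4, 3, 2, 1],
    },
    damage_types={"Health": LINEAR, "Financial": EXPONENTIAL, "Social": LINEAR},
)

# Two constructed processing activities (sample input, not real data).
NEWSLETTER = (
    {"Processing frequency": "High", "Abuse interest": "Medium", "Effort for abuse": "Low"},
    {"Health": "Negligible", "Financial": "Major", "Social": "Minor"},
)
PAYROLL = (
    {"Processing frequency": "Medium", "Abuse interest": "High", "Effort for abuse": "Medium"},
    {"Health": "Negligible", "Financial": "Critical", "Social": "Moderate"},
)

if __name__ == "__main__":
    print("score range", MODEL.score_range(), "thresholds", MODEL.thresholds)
    for name, (lik, dmg) in (("newsletter", NEWSLETTER), ("payroll", PAYROLL)):
        print(name, assess(MODEL, lik, dmg))
```

Run it directly to print the achievable score range, the derived thresholds, and the assessment of each sample activity. The newsletter lands in Medium and meets the default target; payroll is pushed into High by its exponentially weighted Critical financial damage, even though its likelihood points are lower. Passing `thresholds=` to `RiskModel` reproduces dragging the thresholds in the point scale, which changes the category a score falls into without changing the score.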

 
